CVE-2021-38991

7.8 HIGH

📋 TL;DR

This vulnerability allows a non-privileged local user on affected IBM AIX and VIOS systems to exploit a flaw in the lscore command, potentially leading to arbitrary code execution with elevated privileges. It affects IBM AIX versions 7.0, 7.1, 7.2 and VIOS 3.1. The attacker must have local access to the system to exploit this vulnerability.

💻 Affected Systems

Products:
  • IBM AIX
  • IBM VIOS
Versions: AIX 7.0, 7.1, 7.2; VIOS 3.1
Operating Systems: IBM AIX, IBM VIOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The lscore command is part of the base operating system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A local attacker gains root privileges and full control of the system, enabling data theft, persistence, lateral movement, and complete system compromise.

🟠 Likely Case

A local user with standard privileges escalates to root access, allowing them to install malware, modify system configurations, or access sensitive data.

🟢 If Mitigated

With proper access controls and monitoring, exploitation would be detected and contained, limiting impact to the affected system only.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local user access, not remotely exploitable.
🏢 Internal Only: HIGH - Any compromised local account (including legitimate users with malicious intent) could exploit this to gain root privileges on affected systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but no special privileges. The vulnerability is in a standard system command, making exploitation straightforward for attackers with local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AIX: APAR IJ29938; VIOS: APAR IJ29939

Vendor Advisory: https://www.ibm.com/support/pages/node/6538952

Restart Required: Yes

Instructions:

1. Download the appropriate APAR from IBM Fix Central.
2. Install the patch using smit or installp.
3. Reboot the system to complete the installation.

🔧 Temporary Workarounds

Remove execute permissions from lscore

Temporarily remove execute permissions from the vulnerable lscore command to prevent exploitation while awaiting patching:

chmod -x /usr/sbin/lscore

Restrict access to lscore

Use AIX role-based access control to restrict which users can execute the lscore command (replace restricted_user and username with the role and account in question):

chuser roles=restricted_user username

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts and monitor for suspicious activity
  • Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

The system is vulnerable if it runs AIX 7.0, 7.1 or 7.2, or VIOS 3.1, and the relevant APAR has not been applied.

Check Version:

oslevel -s

Verify Fix Applied:

Verify that APAR IJ29938 (AIX) or IJ29939 (VIOS) is installed with instfix -ik IJ29938 (or instfix -ik IJ29939 on VIOS), or confirm the service pack level with oslevel -s.
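The verification steps above, combined into a small POSIX sh check (an added example, not from the IBM advisory or this page). It assumes that oslevel -s prints a level of the form 7200-05-01-2038 and that instfix -ik reports "All filesets for <APAR> were found." when the fix is fully installed; the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Decide whether a host still needs the CVE-2021-38991 fix from the output of
# `oslevel -s` and `instfix -ik <APAR>`. Assumption: instfix prints
# "All filesets for <APAR> were found." when the APAR is fully installed.

# apar_for_platform: map the platform (aix|vios) to the APAR id named on the page
apar_for_platform() {
  case "$1" in
    aix)  echo IJ29938 ;;
    vios) echo IJ29939 ;;
    *)    return 1 ;;
  esac
}

# affected_level: 0 if an oslevel -s string (e.g. 7200-05-01-2038, constructed)
# belongs to an affected AIX release (7.0, 7.1, 7.2), else 1
affected_level() {
  case "$1" in
    7000-*|7100-*|7200-*) return 0 ;;
    *) return 1 ;;
  esac
}

# apar_installed: 0 if the instfix -ik output says all filesets for $2 are present;
# a line starting with "Not" ("Not all filesets ...") means the fix is missing
apar_installed() {
  case "$1" in
    Not*) return 1 ;;
    *"All filesets for $2 were found"*) return 0 ;;
    *) return 1 ;;
  esac
}

# vuln_status LEVEL APAR INSTFIX_OUTPUT: prints NOT_AFFECTED, PATCHED or VULNERABLE
vuln_status() {
  level=$1; apar=$2; instfix_out=$3
  if ! affected_level "$level"; then
    echo NOT_AFFECTED; return 0
  fi
  if apar_installed "$instfix_out" "$apar"; then
    echo PATCHED
  else
    echo VULNERABLE
  fi
}

# Live use on an AIX host (oslevel and instfix must be on PATH):
#   apar=$(apar_for_platform aix)
#   vuln_status "$(oslevel -s)" "$apar" "$(instfix -ik "$apar" 2>&1)"
```

On VIOS the AIX-level commands are reached from the padmin restricted shell via oem_setup_env, and the APAR to pass is IJ29939.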

📡 Detection & Monitoring

Log Indicators:

  • Unusual lscore command execution patterns
  • Privilege escalation attempts in audit logs
  • Unexpected process creation with elevated privileges

Network Indicators:

  • None - this is a local exploit

SIEM Query:

Search for lscore command executions and correlate them with subsequent privilege escalation patterns or unusual process creation by the same user or session.
